Won 3rd place in the German IT-Security Award

On October 16th, 2016, the Horst Görtz Foundation hosted the German IT-Security Prize (Deutscher IT-Sicherheitspreis) for the 6th time. A jury of acknowledged IT-security experts from industry and academia chose the most market-relevant IT-security innovations from among 45 contenders.

The jury awarded our solution 3rd place.

Definition & Examples

What is Social Engineering?

Social Engineering is the intelligent exploitation of the natural human tendency to trust people, with the intent to commit a cyber attack.

Examples

An attacker pretends to be a technician of your telco provider and requests the password for your router.

The victim gets manipulated to install malware on his/her system by an attacker who pretends to be an employee of an operating system vendor. The attacker asks the victim to install a system update which contains malware.

Social Engineering Training

Problems

Social Engineering is difficult to train, because it is based on complex human behavioural patterns.

Trainings are often generic, boring, and without (lasting) effect.

Penetration Tests can cause subsequent problems:

Frustration of employees

Violation of privacy laws and regulations

Only a snapshot

Our Solution

Why a Game?

Learning about Social Engineering while you are playing. You will be able to detect attacks and identify vulnerabilities.

In the game world, nobody makes a mistake, just assumptions.

Creates curiosity, excitement and fun.

38,4 % of all companies suffer from Social Engineering attacks.

18,3 % of all companies train their staff to resist Social Engineering attacks.

20,1 % of all attacks hit staff that is not trained to resist Social Engineering attacks.

86 % of all IT-Security Attacks contain a Social Engineering element.

85 % of all CISOs are not satisfied with their Security Awareness Program.

99 % of all Social Engineering Attackers are satisfied with their Chances for Success.

Source: These numbers are based on our experiences and assessments.

Overview

Our Serious Game Hatch

500 Satisfied Players

10 Publications

5 Scenarios

3 Languages

Research

Our solutions are based on our research results. We analyze, evaluate and publish our foundational research and develop services and products based on these results. For this purpose, we collaborate with leading universities and research institutes in Germany and worldwide, e.g. in the UK and China.

Evaluation of the Serious Game Hatch

We have evaluated our game scientifically. The study was conducted with students and with full-time employees of various companies who hold an academic degree. Overall, 250 players participated in our study.

The significant majority of all players stated that they increased their knowledge about social engineering, that they elicited new threats, and even that they could apply the gained knowledge in their daily work.

Interactive Security Awareness Training Offers

with our Serious Games HATCH and PROTECT

Game with Realistic Scenario

HATCH Inhouse Training

Players attack a simulation of their company

Realistic attacks are identified

Discussions and ratings of attacks

Game with domain-specific Scenario

HATCH Inhouse Training

Players attack fictitious personas

Multiple domain-specific scenarios

Creation of further scenarios possible

Online Game

PROTECT Remote Training

Players defend against attacks

Attacks based on experience

Immediate feedback on reactions

The core part of our training is the card game HATCH (Hack and Trick Capricious Humans), which teaches everyone to identify and prevent Social Engineering attacks (for example, attackers who pose as telco service staff and push the victim to install malware).

We aim for simple and effective solutions.

We are passionate about our ideas.

We work with integrity, confidentiality and respect.

We can help you to protect your company against social engineering.

Our simple rules and content allow players to understand the foundation of social engineering during training. We have invented HATCH based on our common research interest and continue to evolve our solution with the help of collaborations with leading academic institutions.

What we offer

Training and Consulting

Interactive Security Training & Coaching

We offer trainings on all topics that focus on the human factor in cyber security. Our trainings motivate participation and are designed for non-security experts.

Furthermore, we offer coaching for CISOs and IT-security experts with a focus on raising all employees' interest in security topics.

Threat Analysis & Threat Intelligence

We support you in analyzing the data collected while playing our serious game. The data allows us to identify precise threats regarding social engineering for your company.

Using freely available information, we advise you on which threats are relevant for your company and how these should be prioritized based on the results of the card game.

Longterm Strategy & Standard Compliance

After a number of trainings and analyses have been conducted and results exist, we offer advice on the longterm training strategy for your company, including the identification of security metrics and success measurements for your training.

We support integrating the trainings in your security management approach including support for documentation and quality control.

Holistic Security Awareness

Portfolio

We offer a constructive program of measures, which starts with Awareness Training with our Serious Game HATCH.

A further analysis of the data collected while playing our serious game HATCH allows a threat analysis.

The analysis allows a permanent improvement of the training to suit your company best.

The threat analysis is the basis for improving the defense against Social Engineering via precise and targeted countermeasures. These protect your company's fortune and data.

Finally, the documentation of the steps above can be included in security certification efforts, e.g. a realization of the ISO 27001 Control A.7.2.2 - Information security awareness, education and training.

The Social Engineering Academy (SEA) GmbH is a Partner in the EU-Project Threat Arrest

THREAT-ARREST (Cyber Security Threats and Threat Actors Training – Assurance Driven Multi-Layer, end-to-end Simulation and Training) is a three-year research and innovation project receiving funding from the EU Commission (4,988,837.50€). It aims to address the ever-expanding landscape of advanced cyber attacks and to mitigate these attacks through advanced security training. THREAT-ARREST will develop a training platform to adequately prepare stakeholders with different types of responsibilities and levels of expertise in defending high-risk cyber systems and organisations to counter advanced, known and new cyber attacks. The effectiveness of the platform will be validated from technical, legal and business perspectives through real cyber systems pilots in the areas of smart energy, healthcare, and shipping. The SEA GmbH is contributing Serious Games for social engineering defence for the integrated Threat Arrest platform.

The project, which started on 1 September, is being carried out by a Consortium of 15 partners, including the Foundation for Research and Technology - Hellas, Simplan, Sphynx Technology Solutions, the University of Milano, Atos, IBM Israel Science and Technology, Social Engineering Academy, Information Technology for Market Leadership, Technical University Braunschweig, CZ.NIC Association, Danaos Shipping Co, TÜV Hellas (TÜV Nord), Agenzia Regionale Sanitaria della Puglia, and Bird & Bird.

The THREAT-ARREST project is financed by the Horizon 2020 Framework Programme of the European Union under Grant Agreement number: 786890.